Abstract: The present invention relates to methods, systems and apparatus for mitigating denial of service attacks. One exemplary embodiment in accordance with the invention is a method of operating a communication system including the steps of receiving at a first device packets of a first packet flow; sending, from the first device, control information to a switch through which packets of the first packet flow pass or to a control device which controls the switch, the control information including a mask corresponding to a range of expected packet values to be used for determining which packets in the first packet flow should be dropped.

Abstract: The present invention relates to methods, systems and apparatus for mitigating denial of service attacks. One exemplary embodiment in accordance with the invention is a method of operating a communication system including the steps of receiving at a first device packets of a first packet flow; sending, from the first device, control information to a switch through which packets of the first packet flow pass or to a control device which controls the switch, the control information including a mask corresponding to a range of expected packet values to be used for determining which packets in the first packet flow should be dropped.

Abstract: The present invention relates to communications methods, apparatus and systems for correlating registrations with subsequent requests for service, e.g., calling or other services or active calls. In one embodiment requests and corresponding registrations are determined through a method of operating a session border controller (SBC) which includes the assignment of a registration instance identifier by the SBC to each registration request, sending a first message including the registration instance identifier to each user device in response to each registration request, and determining if subsequent requests correspond to the registration instance based on the registration instance identifier being included in subsequent requests. In another embodiment, after a SBC switchover, the new SBC forks a mid-dialog request received for a first call to all active registered devices having the same address of record and determines based on the responses which device has an active dialog corresponding to the first call.

Abstract: Methods and apparatus for providing load balancing in a Software Defined Network (SDN). An exemplary embodiment includes the steps of: receiving by a Session Border Controller (SBC) cluster leader a first SIP invite message including a source IP address, assigning responsibility for processing the received message to a first SBC in a cluster of SBCs, and initiating by the first SBC installation of a first flow table entry into SDN switches used to control packet routing in an SDN network, the first flow table entry controlling SDN switches into which the first flow table entry is installed to replace a destination IP address in received packets which satisfy matching criteria of the first flow table entry with a first SBC IP ingress address of the first SBC and to route received packets matching the criteria of the first flow table entry based on the first SBC IP ingress address.

Abstract: Methods and apparatus for detecting VOIP spoofing attacks in systems that provide communication services over IP networks, for gathering information that can be used for preventing or mitigating future malicious attacks, are described. The methods and apparatus send various signals and check for expected responses. Actual responses and/or lack of responses to signals, e.g., messages, are detected, logged and used for making decisions as well as generating a record for informational purposes and analysis which can facilitate identification of common features of malicious packets and/or messages. The methods are well suited for use in a session border controller.

Abstract: A client device, e.g., a smartphone including a web browser, requests a call authorization token from a web server, e.g., a web page server. The web server, acting on behalf of a company, whose web page is hosted and whose phone corresponds to the called party, screens incoming requests and decides whether or not to issue an authorization token, e.g., a signed token including an encrypted portion. The web server issues a call authorization token and communicate the issued token to the client device. The client device includes the received issued call authorization token in a signal, e.g., a SIP INVITE signal, which it generates and sends to a session border controller (SBC). The session border controller processes the received authorization token and checks the authorization token to validate the received token. The SBC establishes a communications session if the received token passes the validation check.

Abstract: Methods and apparatus for supporting authentication for session border controller generated autonomous requests are described. In some embodiments, the session border controller stores a response to a challenge being communicated through the session border controller from an entity with authentication credentials, e.g., a user equipment device, to an authenticating entity. The stored response is available to be used by the SBC at a future time in generating an autonomous request that may be able to pass an authentication check by the authenticating entity. In some embodiments, a session border controller, which has received a challenge to a SBC generated autonomous request from an authenticating entity, generates and sends a request triggering signal to an entity with authentication credentials and subsequently uses the received challenge from the entity with authenticating entity to challenge and acquire a response, e.g., a authorization header, that can will satisfy the authenticating entity.

Abstract: Methods and apparatuses, including computer program products, are described for determining expiration time of bindings for NAT devices. A first device receives a first request including a first source IP address/port pair of a first NAT binding, and transmits a response. The first device receives a second request including a second source IP address/port pair of a second NAT binding, and transmits a response. The first device sets a refresh time T1 of the first NAT binding to be shorter than an expected minimum expiration time of the first NAT binding, transmits one or more messages via the second NAT binding where a sending interval time T2 of the second NAT binding is longer than T1, increments T2 when a response is received, and if a response to any of the messages is not received, sets T1 equal to the last T2 value for which a response was received.

Abstract: A client device, e.g., a smartphone including a web browser, requests a call authorization token from a web server, e.g., a web page server. The web server, acting on behalf of a company, whose web page is hosted and whose phone corresponds to the called party, screens incoming requests and decides whether or not to issue an authorization token, e.g., a signed token including an encrypted portion. The web server issues a call authorization token and communicate the issued token to the client device. The client device includes the received issued call authorization token in a signal, e.g., a SIP INVITE signal, which it generates and sends to a session border controller (SBC). The session border controller processes the received authorization token and checks the authorization token to validate the received token. The SBC establishes a communications session if the received token passes the validation check.

Abstract: The present invention relates to communications methods, apparatus and systems for correlating registrations with subsequent requests for service, e.g., calling or other services or active calls. In one embodiment requests and corresponding registrations are determined through a method of operating a session border controller (SBC) which includes the assignment of a registration instance identifier by the SBC to each registration request, sending a first message including the registration instance identifier to each user device in response to each registration request, and determining if subsequent requests correspond to the registration instance based on the registration instance identifier being included in subsequent requests. In another embodiment, after a SBC switchover, the new SBC forks a mid-dialog request received for a first call to all active registered devices having the same address of record and determines based on the responses which device has an active dialog corresponding to the first call.

Abstract: The present invention relates to communications methods, apparatus and systems for correlating registrations with subsequent requests for service, e.g., calling or other services or active calls. In one embodiment requests and corresponding registrations are determined through a method of operating a session border controller (SBC) which includes the assignment of a registration instance identifier by the SBC to each registration request, sending a first message including the registration instance identifier to each user device in response to each registration request, and determining if subsequent requests correspond to the registration instance based on the registration instance identifier being included in subsequent requests. In another embodiment, after a SBC switchover, the new SBC forks a mid-dialog request received for a first call to all active registered devices having the same address of record and determines based on the responses which device has an active dialog corresponding to the first call.

Abstract: The present invention relates to communications methods, apparatus and systems for efficiently managing NAPT bindings and mappings. An exemplary embodiment of operating a communication system includes the steps of (i) receiving, at a real-time communications entity, a media session offer from a device, (ii) transmitting, from the communications entity to a Network Address and Port Translation entity (NAPT), a request signal to allocate a public Internet Protocol (IP) address and port number pair corresponding to an interface on the NAPT for the session; (iii) determining, at the communications entity, a remote IP address and port number pair corresponding to an interface on the device to be used for communicating media of the media session; (iv) transmitting, from the communications entity to the NAPT, a signal identifying the determined remote IP address and port number pair; and (v) releasing, at the NAPT, the allocated public IP address and port number pair.

Abstract: Methods and apparatus for authenticating a user equipment device (UE) requesting services through a session border controller (SBC) are described. In some embodiments the SBC stores the challenge and response for a successfully authenticated UE and uses this information to authenticate the UE when the UE seeks access to a service, e.g., establishing a new TCP connection. In some other embodiments, in response to receiving an Invite request from a UE requesting service the SBC generates and sends a Registration request to an authentication entity on behalf of the UE to trigger an authentication process. If the UE is authenticated the SBC allows service access, e.g., allows a call to proceed, otherwise denies service to the UE.

Abstract: Systems and methods for user device registration are disclosed. In certain embodiments, at least a first edge device in a group of edge devices enters a mass-restart mode. The first edge device receives a request for registration from a user device and determines whether the user device is currently registered through the first edge device. The first edge device generates a notification associated with the user device if the user device is not currently registered through the first edge device. A second edge device in the group of edge devices receives the notification and determines whether the user device is currently registered through the second edge device based on the notification. Registration information about the user device is deleted from the second edge device if the user device is currently registered through the second edge device.

Abstract: Methods and apparatus for authenticating a user equipment device (UE) requesting services through a session border controller (SBC) are described. In some embodiments the SBC stores the challenge and response for a successfully authenticated UE and uses this information to authenticate the UE when the UE seeks access to a service, e.g., establishing a new TCP connection. In some other embodiments, in response to receiving an Invite request from a UE requesting service the SBC generates and sends a Registration request to an authentication entity on behalf of the UE to trigger an authentication process. If the UE is authenticated the SBC allows service access, e.g., allows a call to proceed, otherwise denies service to the UE.

Abstract: A first media packet from a first endpoint of an access network behind a NAPT device is received by a media device between a core network and the access network. The first media packet includes a first source IP address and port combination identifying the first endpoint. An UPDATE request or a reINVITE request is transmitted by the media device. A second IP address and port combination for the media device to receive future media packets from the first endpoint is negotiated. The media device compares a first IP address of the first source IP address and port combination to a second IP address of a second source address and port combination for a second media packet received on the second IP address and port combination. If the first and second IP addresses match, the media device relays media packets from the core network to the first endpoint.

Abstract: Methods and apparatus for processing and using TCP packets to communicate RTP packets are described. Head of line blocking is avoided by operating a TCP packet processing module to output RTP packet data to an application irrespective of whether or not a preceding TCP packet was received. Since output of packet data to an application using RTP packets is not delayed when there is a missing TCP packet, head of line blocking is avoided. RTP packet data is subjected to pattern matching in order to identify and process RTP packets in the case where RTP header information such as packet length information is missing due to the failure to receive a TCP packet. The methods are particularly well suited for the communication of audio and/or video by devices operating behind firewalls which block UDP or other types of packets other than TCP packets.

Abstract: Methods and apparatus for processing and using TCP packets to communicate RTP packets are described. Head of line blocking is avoided by operating a TCP packet processing module to output RTP packet data to an application irrespective of whether or not a preceding TCP packet was received. Since output of packet data to an application using RTP packets is not delayed when there is a missing TCP packet, head of line blocking is avoided. RTP packet data is subjected to pattern matching in order to identify and process RTP packets in the case where RTP header information such as packet length information is missing due to the failure to receive a TCP packet. The methods are particularly well suited for the communication of audio and/or video by devices operating behind firewalls which block UDP or other types of packets other than TCP packets.

Abstract: Methods and apparatus for sharing bandwidth over a link in a packet-oriented telecommunications system or network that supports multiple types of traffic including, e.g., real time packet flows, opportunistic rate packet flows, control and signaling traffic, are described. In one exemplary embodiment the method includes the steps of receiving a bandwidth allocation request requesting allocation of a required amount of bandwidth for a new real time packet flow, allocating the requested bandwidth from bandwidth reserved for newly-allocated real time packet flows, updating the measure of the total amount of bandwidth allocated to real time packet flows to reflect the allocation of the bandwidth to the new real time packet flow, and generating new bandwidth allocations for existing opportunistic rate packet flows based on a measure of the total amount of bandwidth allocated to real time packet flows. Some embodiments of the invention include methods to enforce the dynamic bandwidth allocations.

Abstract: Features relating to communicating delay information and minimizing aggregate processing delays corresponding to content streams, e.g., audio and video streams, in a multi-media communication session while still achieving stream synchronization, are described. Some embodiments are well suited for systems where video and audio streams are transcoded by different entities. In some embodiments downstream entities, e.g., transcoder and/or receiving end device, are informed about the delay introduced to at least one stream by one or more upstream devices, e.g., a transcoder. The downstream entity synchronizes the received content streams by adding artificial latency as needed to the relevant one of the streams based on the received delay information thereby avoiding unnecessary introduction of artificial delays at every transcoding node in the path.